RE: New Liaison Statement, "Liaison to IETF on the resolution of DR320"

[Tom Gindin <tgindin@us.ibm.com>]

        I know this response is a little late, but the main reason that 
there is no central repository for CA names is that there is no world-wide 
directory using X.500 names.  For reasons which have been discussed many 
times on this list, there probably never will be.  Of course,  the IETF 
knows of an existing registry which could be used to avoid conflicts 
between CA names.
        How about the following wording: "Certificate Authorities SHOULD 
NOT use a value in the Organization or Common Name attribute of their 
Distinguished Name which is syntactically legal as a dNSName (i.e. an IA5 
string containing one or more periods but no spaces) unless they are 
operated by an organization which has registered the domain name 
controlling that dNSName.  Certificate Authorities wishing to ensure a 
globally unique issuer name MAY use an IA5 FQDN controlled by their 
organization in either the Organization or the Common Name attribute." 
Does anybody want to add Organizational Unit into the mix, and possibly 
even make it a SHOULD for newly allocated CA's?
        Given my unfamiliarity with non-alphabetic scripts, I hesitate to 
discuss internationalized DNS names in this connection unless Punycode is 
relevant.  However, even without considering DR 320, using somebody else's 
domain name as your CN or O attribute is misleading.

                Tom Gindin

P.S. -  The opinions above are mine, and not necessarily those of my 
employer



Ryan Hurst <Ryan.Hurst@microsoft.com> 
Sent by: owner-ietf-pkix@mail.imc.org
10/09/2007 08:47 PM

To
Paul Hoffman <paul.hoffman@vpnc.org>, Russ Housley <housley@vigilsec.com>, 
"ietf-pkix@imc.org" <ietf-pkix@imc.org>
cc

Subject
RE: New Liaison Statement, "Liaison to IETF on the resolution   of  DR320"







All of these statements are true.

Words fail me is as fine a response to that as any...

________________________________________
From: owner-ietf-pkix@mail.imc.org [owner-ietf-pkix@mail.imc.org] On 
Behalf Of Paul Hoffman [paul.hoffman@vpnc.org]
Sent: Tuesday, October 09, 2007 3:25 PM
To: Russ Housley; ietf-pkix@imc.org
Subject: Re: New Liaison Statement, "Liaison to IETF on the resolution of 
DR320"

The ITU statement says the following:

>>One of the participants in the directory meeting stated that
>>Certification Authorities are being deployed with names not
>>acquired from naming authorities but with names arbitrarily chosen
>>assuming that no other CA is or will be operating under that name.

That is, of course, true. There is no central repository for CA names
because there is no central authority for CAs.

>>That participant further stated that the IETF provides no
>>guidelines on ensuring that the names of CAs are unambiguous.

That is true.

>>The directory group requests the IETF PKIX group to comment on this
>>statement.

Should we make a consensus call on "that is true"?

>>If the statement is correct, we ask the IETF to consider putting a
>>mechanism in place to prevent conflict, e.g. a list of existing CA
>>names that deployers of new CAs could check for naming conflicts.

Words fail me.

--Paul Hoffman, Director
--VPN Consortium